What about group managed service accounts, or gMSAs for short? Say that three times quickly, by the way. The situation here is our user accounts are for humans. They're interactive identities, right? And that's fine. That's the way it should be. Well, what about when you need to provide a security context for a Windows service, or perhaps for a scheduled task, or perhaps for a load-balanced server farm like you see in this diagram I created? You might have an IIS-based server farm. And if you've worked with Internet Information Services, you know that you have the application pool that, in turn, requires some kind of service account identity. Now there are special identities called NT AUTHORITY accounts that you're probably familiar with, like Local System, Local Service, Network Service, Everyone, Authenticated Users, Interactive users. Those are great, but those are dynamically populated identities. You probably need a dedicated, non-interactive service account to attach to these services so that you can give that service account permissions. This is the use case for the managed service account.

Now, there are two flavors or types of managed service accounts: standalone, which is available only on a single server, or, what really is the standard nowadays, the group managed service account. What are some of the value propositions of using one of these? Well, the main thing is that you don't have to worry about password changes. In other words, if you're configuring an IIS app pool service identity and it's not a gMSA, and you do a password change on the service account that you might've manually created in Active Directory, then you'd better quickly update that password in the app pools, or you're going to have service breakdowns. When you do a gMSA, Active Directory automatically manages the password. And the auto-generated passwords are super long, 240 characters, and we have the security advantage that none of your administrators know that gMSA password. It's private to Active Directory. What else? Well, we can instruct Active Directory to rotate or change the password automatically and, wait for it, the password change is automatically picked up by registered applications. This is so cool.

Also, what's particularly cool about the group managed service account is that your credential, your gMSA, is then shareable across multiple computers instead of having to have a separate standalone MSA for each server in your farm, which is not very scalable. Now let's take a look at my diagram at right. The high-level overview for implementing a gMSA is as follows. You're going to create an Active Directory group of some kind, a domain local group, say, or a global group, that consists of your web servers that are going to be, in this case, load balanced. In this example, I'm using IIS web servers. So I've got those computer accounts. Likewise, if we're going to apply a gMSA to a Windows service, we would aggregate the servers that run that service, or if we were doing a distributed scheduled task, same thing. So you organize the servers in question who will consume the gMSA into an Active Directory group. Then, when you define the managed service account, you link it to the group, and then lastly, you link the gMSA to the service. Isn't that beautiful?

I'll do a demo so that the theory really locks in, but I've certainly covered what you need to know for your AZ-800 exam success.